TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Internal Revenue Service Should Implement an Efficient Internal Information Security Continuous Monitoring Program That Meets Its Security Needs

September 17, 2014

Reference Number: 2014-20-083

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta


HIGHLIGHTS

THE INTERNAL REVENUE SERVICE SHOULD IMPLEMENT AN EFFICIENT INTERNAL INFORMATION SECURITY CONTINUOUS MONITORING PROGRAM THAT MEETS ITS SECURITY NEEDS

Final Report issued on September 17, 2014

Highlights of Reference Number: 2014-20-083 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The IRS is in the process of implementing an Information Security Continuous Monitoring (ISCM) program. When fully implemented, the program will allow the IRS to continuously monitor security controls of its computer assets in real time, thus improving the effectiveness of the safeguards and countermeasures that protect taxpayer information and information systems.

WHY TIGTA DID THE AUDIT

This audit was initiated as part of our Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees. The overall objective of this review was to assess the current state of Continuous Diagnostics and Mitigation (CDM) program controls in place at the IRS.

WHAT TIGTA FOUND

Although implementation of the ISCM program has been slow across the Federal Government, the IRS has been in compliance with Department of Homeland Security and Department of the Treasury guidelines.

In addition to the mandatory guidelines imposed by the Office of Management and Budget, Treasury Department officials have also mandated that their bureaus use only the Treasury Department's dashboard, which will serve as the official reporting mechanism for the ISCM program, and use those security tools selected by Treasury Department officials for consistency.

Although the Treasury Department's intentions for consistency and efficiency are workable for most of its offices and bureaus, TIGTA found that, based on the large scale of the IRS's computer environment, a one-size-fits-all approach does not provide the best security for the IRS. TIGTA also identified inefficiencies the IRS will experience if it selects the recommended Treasury Department tool.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS Chief Technology Officer continue to move forward and coordinate, as appropriate, with the Treasury Department to implement a stronger internal ISCM program that allows executives to make the most informed decisions that affect the security of the IRS network. This includes: 1) selecting and implementing an internal dashboard, 2) taking advantage of the General Services Administration's Blanket Purchase Agreement through the Department of Homeland Security's CDM program to acquire products that ensure gaps in coverage and tool enhancements of the ISCM program are adequately addressed and best suited for the IRS environment, and 3) ensuring that tools selected for use (such as the database scanning tool) are the most effective and make the most efficient use of IRS resources.

IRS officials agreed with our recommendations and plan to continue coordinating with Treasury to ensure that the IRS selects the most effective and efficient security tools that meet the unique needs of the IRS computing environment. The IRS also plans to take advantage of the General Services Administration's Blanket Purchase Agreement to acquire products best suited for the IRS's environment.

The IRS also plans to establish an enterprise-wide ISCM integrated project team to direct the selection and implementation of an integrated dashboard of the security scanning tools, to ensure that stakeholders and decision makers are well informed to make risk-based decisions, and to pursue tool enhancements for current tools and tool selections for gaps, ensuring that the most cost-efficient method is used to the extent that funding is available.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 17, 2014

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael E. McKenney
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Internal Revenue Service Should Implement an Efficient Internal Information Security Continuous Monitoring Program That Meets Its Security Needs (Audit # 201320003)

This report presents the results of our review to assess the current state of Continuous Diagnostics and Mitigation program controls in place at the Internal Revenue Service (IRS). This audit is included in the Treasury Inspector General for Tax Administration's Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

Management's complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Kent Sagara, Acting Assistant Inspector General for Audit (Security and Information Technology Services).


Table of Contents

Background (Page 1)

Results of Review (Page 4)
    The Internal Revenue Service Should Continue to Move Forward in Implementing a Stronger Information Security Continuous Monitoring Program (Page 4)
        Recommendation 1 (Page 8)
    The Internal Revenue Service Should Leverage the Blanket Purchase Agreement to Acquire Security Tools Needed for Its Environment (Page 8)
        Recommendation 2 (Page 12)
        Recommendation 3 (Page 13)

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology (Page 14)
    Appendix II – Major Contributors to This Report (Page 16)
    Appendix III – Report Distribution List (Page 17)
    Appendix IV – National Institute of Standards and Technology Security Automation Domains (Page 18)
    Appendix V – Office of Management and Budget Deadlines (Page 20)
    Appendix VI – Management's Response to the Draft Report (Page 23)


Abbreviations

BPA      Blanket Purchase Agreement
CDM      Continuous Diagnostics and Mitigation
CONOPS   Concept of Operations
DHS      Department of Homeland Security
eGRC     Enterprise Governance Risk and Compliance
FISMA    Federal Information Security Management Act
FY       Fiscal Year
GSA      General Services Administration
IRS      Internal Revenue Service
ISCM     Information Security Continuous Monitoring
NIST     National Institute of Standards and Technology
OMB      Office of Management and Budget
TIGTA    Treasury Inspector General for Tax Administration


Background

The need to know its current security posture at any given point in time is vital for any organization. To strengthen the Nation's cybersecurity posture, the Administration and the Office of Management and Budget (OMB) identified cybersecurity as one of 14 Cross-Agency Priority Goals, which included continuous monitoring of all Federal information systems.

During Calendar Year 2013, the Federal Government took actions to support and accelerate agency implementation of effective risk management programs. In coordination with the OMB, the Federal Chief Information Officer's Council and the Committee on National Security Systems established the Joint Continuous Monitoring Working Group, which developed the U.S. Government Concept of Operations (CONOPS) for ISCM. This CONOPS supplements National Institute of Standards and Technology (NIST) guidelines by providing a roadmap and more specific implementation guidance to stakeholders across the Federal Government.

ISCM is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The requirement to manage information security risk on a continuous basis includes the requirement to monitor the security controls in Federal information systems, and the environments in which those systems operate, on an ongoing, real-time basis. Figure 1 presents the ISCM security automation domains, as defined by the NIST.

Figure 1: Security Automation Domains
[Figure not reproduced in this extraction.]
Source: NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.

Appendix IV presents a brief explanation of each security automation domain. To fully implement ISCM across the Government, the OMB has instructed agencies to develop and maintain an ISCM strategy and establish an ISCM program consistent with existing statutes, OMB policy, NIST guidelines, and the CONOPS. To assist with this effort from a Governmentwide perspective, the Department of Homeland Security (DHS) has established a Continuous Diagnostics and Mitigation (CDM) program.

Agencies shall implement continuous monitoring of security controls as part of a phased approach through Fiscal Year (FY) 2017. In accordance with the CONOPS, Phase 1 of the DHS CDM program, which includes the Federal dashboard,[1] requires automating the following subsets of information security capabilities:

• Hardware Asset Management (part of Asset Management).
• Software Asset Management (part of Asset Management).
• Configuration Management.
• Vulnerability Management.

[1] In management information systems, a dashboard is an easy-to-read, often single-page, real-time user interface showing a graphical presentation of the current status (snapshot) and historical trends of an organization's key performance indicators, enabling instantaneous and informed decisions to be made at a glance.

Under this program, the DHS coordinated with the General Services Administration (GSA) to establish a Governmentwide Blanket Purchase Agreement (BPA) under Multiple Award Schedule 70, which Federal, State, local, and tribal governments can leverage to deploy a basic set of capabilities to support continuous monitoring of security controls in Federal information systems and environments of operation. The BPA, awarded on August 12, 2013, provides a consistent, Governmentwide set of ISCM program tools to enhance the Federal Government's ability to identify and respond, in real time or near real time, to the risk of emerging cyberthreats. It also capitalizes on strategic sourcing to minimize the costs associated with implementing requirements of the Risk Management Framework.[2]

The Internal Revenue Service's (IRS) ISCM program is managed by the Information Technology organization's Cybersecurity office. In addition to the Cybersecurity office, program implementation is supported by the Information Technology organization's Enterprise Operations, User Network Services, and Enterprise Services offices for Phase 1 of the ISCM program.

This review was performed with information obtained from the IRS's Information Technology organization, including the offices of Cybersecurity, Enterprise Operations, Enterprise Services, and User Network Services, in New Carrollton, Maryland, during the period November 2013 through May 2014. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[2] The Risk Management Framework provides a disciplined and structured process that integrates information security and risk management activities into the systems development life cycle. The Risk Management Framework steps include: categorize, select, implement, assess, authorize, and monitor.


Results of Review

The Internal Revenue Service Should Continue to Move Forward in Implementing a Stronger Information Security Continuous Monitoring Program

The OMB issued Memorandum 10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), which defines DHS activities within the Federal Government. DHS activities will include (but will not be limited to):

• Overseeing the Governmentwide and agency-specific implementation of and reporting on cybersecurity policies and guidance.
• Overseeing and assisting Governmentwide and agency-specific efforts to provide adequate, risk-based, and cost-effective cybersecurity.
• Overseeing the agencies' compliance with the Federal Information Security Management Act (FISMA)[3] and developing analyses for the OMB to assist in the development of the FISMA annual report.
• Overseeing the agencies' cybersecurity operations and incident response and providing appropriate assistance.
• Annually reviewing the agencies' cybersecurity programs.

All departments and agencies are required to coordinate and cooperate with the DHS as they carry out their cybersecurity responsibilities. The DHS is currently coordinating Federal Government efforts to roll out agencies' ISCM programs and is using its CDM program as a means for agencies to purchase tools needed for their ISCM programs.

Although the IRS is complying with initial DHS and Department of the Treasury requests, which have satisfied some of the OMB deadlines to date, the Federal Government process to acquire vendor tools and dashboards has taken longer than expected. The DHS has scheduled meetings among agencies, vendors, and bidders into FY 2015. As a result, Treasury Department officials do not expect to meet any additional OMB deadlines that were issued in November 2013 on the rollout and implementation of the first three security automation domains of the ISCM program. Appendix V presents the OMB ISCM program deadlines and the status of required actions by the IRS.

[3] Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub. L. 107–347, 116 Stat. 2899).

The IRS has made progress implementing its ISCM program

Progress has been made in implementing the IRS's ISCM program, although the program is still in the early stages of development. For example, in September 2013, the IRS released an ISCM Strategy document that defines and develops an IRS-specific ISCM strategy to be used to establish and implement an ISCM program. This strategy discusses the key IRS roles, the officials who have a major part in the program, and the requirements and activities at each organizational tier. Currently, the IRS is working on an ISCM plan that better defines the current initiatives and establishes a clear vision for the future state of the IRS's ISCM program. The IRS stated that, going forward, the ISCM plan will be a living document that continually addresses and monitors the IRS's information technology environment.

OMB Memorandum 14-03, Enhancing the Security of Federal Information and Information Systems, and the CONOPS have both issued deadlines and milestones for agencies to implement Phase 1 by FY 2014. However, because the Federal Government rollout is behind schedule, the IRS and other agencies will not meet all of these deadlines. For example, the DHS has not selected a Federal dashboard to report ISCM program metrics. The DHS has also set a schedule into FY 2015 for agencies and vendors to meet in private to determine individual solutions for their ISCM programs.

Despite the Federal delay in ISCM program implementation, the IRS must be in compliance with both Treasury Department and OMB guidelines for its ISCM program. The IRS has been participating along with other bureaus in Treasury Department meetings on the ISCM program and in DHS training. The IRS has satisfied OMB requirements for agencies that include:

• Creating a strategy to implement the ISCM program.
• Identifying specific individuals to manage the agency's ISCM program.
• Identifying resource and skill requirement gaps to manage and coordinate the internal ISCM program.
• Coordinating with the Treasury Department on the CDM program foundational survey that was sent to the DHS and signing the Treasury Department Memorandum of Agreement with the DHS.[4]

The IRS has many tools in place for Phase 1 of the ISCM program that sustain current controls for identifying security vulnerabilities. The IRS is taking the initiative to enhance its current tools and is planning the integration of a comprehensive, enterprise-wide information technology service management solution that includes the Enterprise Configuration Management System; the Knowledge, Incident, Service Asset Management System; the End-2-End Monitoring and Event Management System; and the Work Request Management System. By following the Information Technology Infrastructure Library Process Model,[5] the IRS will be creating a more robust system by integrating asset management, configuration management, change management, and service management.

[4] See Appendix V for the OMB deadlines.

[5] The Information Technology Infrastructure Library is a set of practices for information technology service management that focuses on aligning information technology services with the needs of business. It is used to demonstrate compliance and to measure improvement, including a process model that organizations can use for implementing their practices.

Moving forward, the IRS should implement an internal dashboard

It is the DHS's responsibility to establish a Federal dashboard for the ISCM program, which will provide a Governmentwide view of the ISCM program as well as the technical specifications and guidance for agencies on the requirements for submitting information to this Federal dashboard. However, the security-related information gathered for input to the Federal dashboard will not provide the comprehensive information required to make risk-based decisions about the effectiveness of all security controls selected and implemented by the agencies. Additional security-related information will be needed to make fully informed risk-based decisions regarding specific information systems. Therefore, an internal IRS dashboard or similar tool would give a comprehensive view of all the systems, and not just the metrics reported to the Federal dashboard, so that risk-based decisions can be made when security vulnerabilities arise.

Since the release of the IRS's ISCM Strategy document, the Treasury Department has been a constant guide throughout the ISCM program process. In October 2013, the Treasury Department issued a memorandum stating that a continuous monitoring dashboard would be used at the Treasury Department level for all bureaus, which would save the bureaus the expense of having to purchase their own dashboard. The dashboard will remain at the Treasury Department's Government Security Operations Center, and all Treasury Department bureaus will feed information from each of the security automation domains into this dashboard.

The DHS is responsible for the purchase and rollout of the Federal dashboard for the ISCM program that will include both Federal and agency-level metrics for the entire Federal Government. However, the DHS has not selected a dashboard product. Based on DHS coordination, Treasury Department officials have estimated that the selection of a Federal dashboard and the completion of Phase 1 of the ISCM program implementation will not be known until the third quarter of FY 2015.

Although the IRS has many security tools in place to satisfy the requirements for Phase 1 of the ISCM program, the reports from these tools are sent to various dashboards or directly to stakeholders and not to a single dashboard that could provide consistency in reporting and allow decision makers to see a comprehensive view. Without a main control point for consolidating security tool metrics, critical information necessary for making risk-based decisions may be overlooked, and according to OMB Memorandum 14-03, all agencies are ultimately responsible for security vulnerabilities within their agencies. The OMB has set specific ISCM program implementation deadlines for the agencies once the DHS dashboard is selected. The following deadlines are dependent on the Federal dashboard being selected:

• Ensure that all Phase 1 products necessary to meet DHS reporting requirements provide data compatible with the Federal dashboard maintained by the DHS.
• Complete installation of agency- and bureau/component-level dashboards.
• Begin submitting automated data feeds for Phase 1 focus areas to the Federal dashboard.

Although the IRS has not selected a dashboard for its ISCM program, it has options for the selection. Currently, the IRS is implementing a business management tool, RSA Archer enterprise Governance Risk and Compliance (eGRC),[6] which will be used as a compliance dashboard. Although the Treasury Inspector General for Tax Administration (TIGTA) did not evaluate the RSA Archer eGRC as a risk-based dashboard, it is a viable option according to the IRS. The Cybersecurity office selected the RSA Archer eGRC because of its high rating by Gartner as an eGRC tool, and since the IRS's selection, the DHS has included it in its BPA. Risk prioritization is an area that will eventually be portrayed in the RSA Archer eGRC. It will help management quantify various risks based on the criticality level of the system or server.

The IRS currently uses the RSA Archer eGRC platform to monitor contractor training and TIGTA and Government Accountability Office reviews. The IRS has also begun piloting the integration of a scanning tool into the RSA Archer eGRC so that the metrics of this tool can be rolled up directly into the dashboard. This dashboard could be used for the IRS's ISCM program to support risk-based decisions by stakeholders to assess the vulnerabilities identified by the security scanning tools.

During our review, funding for the RSA Archer eGRC was approved to obtain more server capacity. However, as tools are integrated into the dashboard, whether for the ISCM program or compliance monitoring, server capacity could be a future problem and may prohibit the integration of more scanning tools into the dashboard. This could limit the number of metrics available and affect stakeholders' decisions if the metrics do not include all systems or mitigating factors.

As another option, the IRS has access to the GSA's BPA through the DHS CDM program. The IRS is able to select a dashboard from the BPA if it better meets its internal requirements. Although the Treasury Department foresees that the Federal dashboard will not be selected until well into FY 2015, the IRS may find a more cost-efficient interim dashboard while waiting for the Federal selection in the upcoming fiscal year.

Although the Treasury Department has issued Treasury Chief Information Officer Memorandum 14-02, Standard Tool Selection for Automated Information Security Continuous Monitoring (ISCM), stating that there will be one dashboard to report ISCM program metrics for the Treasury Department, Treasury Department officials agreed that, given the size and complexity of the IRS's computer environment, an IRS internal dashboard would give IRS stakeholders a comprehensive view of the status of IRS systems, allowing for a more secure environment. As a courtesy, the IRS should coordinate with Treasury Department officials on the selection of its internal dashboard and the integration of its metrics with the Treasury Department dashboard.

[6] RSA Archer eGRC is a flexible enterprise eGRC framework application that allows organizations to tailor their unique requirements, create supporting applications, and integrate multiple data sources without touching a single line of code.

Recommendation

The Chief Technology Officer should continue to move forward and coordinate, as appropriate, with the Treasury Department to implement a stronger internal ISCM program that allows executives to make the most informed decisions that affect the security of the IRS network by taking the following action.

Recommendation 1: The Chief Technology Officer should select and implement an integrated dashboard of the security scanning tools to allow stakeholders and decision makers to make well-informed, risk-based decisions.

    Management's Response: The IRS agreed with our recommendation. The Chief Technology Officer will select and implement an integrated dashboard of the security scanning tools to allow stakeholders and decision makers to make well-informed risk-based decisions by establishing an enterprise-wide integrated project team to direct the IRS's ISCM initiative. Based on the future direction of the ISCM integrated project team, the IRS will select and implement an integrated, local dashboard of its security scanning tools.

The Internal Revenue Service Should Leverage the Blanket Purchase Agreement to Acquire Security Tools Needed for Its Environment

As the largest agency within the Treasury Department, the IRS has numerous systems and platforms to administer the Nation's tax system. Compared with other Treasury Department bureaus, the IRS has far more systems and software, many of which dwarf other Treasury Department bureaus' systems, with 150 FISMA-reportable Major Applications and General Support Systems,[7] more than 7,000 servers, and more than 100,000 workstations. In addition, the IRS's computer environment is complex and varied, with different software and hardware products for various 

[7] The FISMA requires agencies to develop and maintain an inventory of major information systems operated by or under the control of the agency. The FISMA considers the following as "reportable" information systems: 1) the General Support System is an interconnected set of information resources under the same direct management control that shares common functionality and normally includes hardware, software, information, data, applications, communications, and people; and 2) the Major Application is an application that requires special attention to security due to the risk and magnitude resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
computer components. To require an agency with approximately\n93,000 employees and with responsibility for millions of taxpayer records to include the\npurchasing of tools in a one-size-fits-all process may not be the best approach for the IRS and\ncould possibly slow any progress on the implementation of the ISCM program and result in the\nrisk of allowing gaps in the security of critical systems.\nAs such, the IRS has security tools in place that address the first three security automation\ndomains required in Phase 1 and the Patch Management security automation domain as well.\nWith a complex computer environment that includes various network devices, applications,\ndatabases, hardware, software, middleware, and operating system platforms, the IRS may need to\nuse more than one type of security tool for identifying, tracking, and preventing vulnerabilities.\nThese tools are an integral part of identifying security vulnerabilities over the IRS\xe2\x80\x99s numerous\nsystems and networks.\nIn efforts to ensure that the bureaus are compliant with the ISCM program as required by the\nOMB, the Treasury Department is spearheading the implementation by holding periodic\nmeetings with the bureaus to streamline the tool selection for each of the security automation\ndomains in Phase 1. The Treasury Department has been collecting information from the various\nbureaus regarding the ISCM program tools to be used to fulfill DHS\xe2\x80\x99s Task Order 1 of the\nCDM program and the three security automation domains of Phase 1 outlined in the Joint\nContinuous Monitoring Working Group\xe2\x80\x99s CONOPS document released in 2013.\nDHS\xe2\x80\x99s Task Order 1 includes the three security automation domains identified in the CONOPS\nas Asset Management broken down as Hardware and Software Asset Management,\nConfiguration Management, and Vulnerability Management. 
Task Order 1 also identifies web\nand code scanning tools.\nThe OMB issued a memorandum dated November 2013 that outlines the due dates for the\nfollowing year for every agency and the parameters that must be met in implementing the\nISCM program. In addressing gaps, agencies should leverage, to the extent practicable, the\nGSA BPA. As stated in the memorandum and outlined in the CONOPS, agencies have the\ndiscretion to implement the tools necessary for their ISCM program technical architecture.\n   1. Leveraging the services and products offered by the DHS CDM program;\n   2. Leveraging the agency\xe2\x80\x99s existing products and services; and/or\n   3. Implementing a hybrid approach by which agencies can leverage the DHS CDM program\n      to procure products but implementing it using their own hardware.\nFor consistency, the Treasury Department is mandating bureaus use the tool it selected for\nofficial reporting for the ISCM program, even if another tool is better suited for a specific\nenvironment or performs the same function as the mandated tool. The Treasury Department\nstated that the purpose of this request is to have all information consistent among the bureaus\n\n                                                                                            Page 9\n\x0c                             The Internal Revenue Service Should Implement an\n                              Efficient Internal Information Security Continuous\n                             Monitoring Program That Meets Its Security Needs\n\n\nwhen feeding information to the dashboard at the Treasury Department. With the variety of tools\noffered by numerous vendors, Treasury Department officials are working to coordinate with\nbureaus to streamline the selection process. However, this process and purchasing of tools has\nbeen slow at best. 
Currently, Treasury Department officials have selected only one tool for\nPhase 1.\nOn March 25, 2014, the Treasury Department issued Treasury Chief Information Officer\nMemorandum 14-02 on CDM program tool standardization. The memorandum states that when\nthe procurement process is completed and tools are selected, the Treasury Department standard\nmandatory CDM program tools will be deployed across bureau infrastructures either by a DHS\nservice provider/integrator or by the bureaus themselves. Treasury Department officials have\ncollected these preferences from each bureau already. The bureaus will be responsible for the\noperation of the CDM program tools deployed in their environments. The bureaus may continue\nto supplement the Treasury Department standard tools with their own security tools, provided\nthat the Treasury Department standard CDM program tools retain budgetary priority and are free\nof technical interference from the bureaus\xe2\x80\x99 tools.\nAlthough efforts to streamline tools for efficiency and consistency could be possible, security\nshould take precedence and is the backbone to the ISCM program. After discussing the inherent\nrisks associated with the overall size of the IRS and the numerous systems containing taxpayer\ninformation, Treasury Department officials agreed that security should be the main priority, and\nnot consistency, when implementing an ISCM program. To assist in this effort, the Treasury\nDepartment suggested that the IRS leverage the BPA to acquire the tools necessary for\nidentifying security vulnerabilities in the IRS environment. Treasury Department officials\nrequested that the IRS coordinate with them when acquiring tools to determine the best cost\nsavings.\n\nInefficiencies could result if the IRS selects the recommended Treasury\nDepartment tool\nIn the fall of 2013, the Treasury Department selected DbProtect as the official tool for database\nscanning for the bureaus. 
The Treasury Department requested 5,000 licenses of DbProtect\nthrough the DHS\xe2\x80\x99s BPA with the GSA. Of the licenses requested, the DHS informed the\nTreasury Department that it would only receive 950 licenses. As a result, the Treasury\nDepartment will need to determine which bureaus will receive licenses and the approximate\nnumber for each.\nThrough discussions with IRS officials, we were informed that the IRS has moved away from\nDbProtect and is now using Guardium for its database scanning. Although neither product was\nan \xe2\x80\x9cout-of-the-box\xe2\x80\x9d8 solution, according to the IRS, Guardium appeared to be the more practical\n\n8\n Out-of-the-box feature or functionality, particularly in software, is a feature or functionality of a product that works\nimmediately after installation without any configuration or modification. In this situation, the IRS would need to\nconfigure the software to make it a viable solution for its environment.\n                                                                                                               Page 10\n\x0c                          The Internal Revenue Service Should Implement an\n                           Efficient Internal Information Security Continuous\n                          Monitoring Program That Meets Its Security Needs\n\n\nand cost-effective choice for IRS mainframe database scanning. The IRS has invested\nsignificant resources in Guardium over the last three years to make it suitable to the IRS\nscanning environment.\nIf the IRS were to stop using Guardium and renew a contract with DbProtect, it would have\nwasted considerable funds to adapt Guardium as a database scanning tool, including the time and\neffort attributed to making the Guardium product a workable solution. 
Furthermore, additional\ntime and resources would be required to make DbProtect a capable solution, with no assurance\nthat it will be comparable to that of Guardium.\nRequiring the IRS to adopt a technology that does not best suit its security environment could\ninhibit its ability to implement a robust ISCM program strategy and potentially force the IRS to\ninvest additional time and resources in order to comply with Treasury Department requirements.\nTo require that the IRS purchase and maintain more than one tool to scan the same operating\nsystem is an inefficient use of resources.\n\nThe IRS lacks an enterprise-wide software management system\nThe IRS does not have an enterprise-wide software management system. As part of Phase 1 of\nthe ISCM program, the Asset Management security automation domain includes Software Asset\nManagement. Although the IRS\xe2\x80\x99s ISCM Strategy document states that the IRS has tools to\nidentify or discover software on the networks, we found that an enterprise-wide management\nsystem for software was not in place.\nIn prior TIGTA reviews9 addressing workstations, servers, and mainframes, TIGTA found that\nthe IRS lacks an enterprise-wide repository and organizational structure for software\nmanagement. The IRS has not invested in the resources to develop and implement an effective\nsoftware asset management program. In response to TIGTA\xe2\x80\x99s reports, the IRS stated that\none tool cannot possibly track, discover, and manage software. Therefore, the IRS is currently\nworking on a toolkit to implement an enterprise-wide software management program. 
In\naddition, a recently completed MITRE Corporation gap and overlap security tool analysis for the\nIRS found that the IRS lacks tools for detecting unauthorized software and security setting\ncompliance on perimeter firewalls and proxies, wireless access points, and handheld devices.\nAccording to DHS training, the purpose of software asset management is to identify\nunauthorized software on devices that is likely to be used by attackers as a platform from which\nto extend compromise of the network. Security scans should target software products and\nexecutables (individual program files). Agencies should maintain a list of authorized software at\nboth the product and executable level and treat other software actually on the network as a\n\n\n9\n TIGTA, Ref. No. 2013-20-025, Desktop and Laptop Software License Management Is Not Being Adequately\nPerformed (June 2013); TIGTA, Ref. No. 2014-20-002, The Internal Revenue Service Should Improve Mainframe\nSoftware Asset Management and Reduce Costs (Feb. 2014); and TIGTA, Ref. No. 2014-20-042, The Internal\nRevenue Service Should Improve Server Software Asset Management and Reduce Costs (Sept. 2014).\n                                                                                                  Page 11\n\x0c                            The Internal Revenue Service Should Implement an\n                             Efficient Internal Information Security Continuous\n                            Monitoring Program That Meets Its Security Needs\n\n\ndefect. The agency should remove, authorize/assign, or accept the risk for the other software\nclassified as a defect.\nThe IRS needs tools to cover gaps for the ISCM Software Asset Management security\nautomation domain. 
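The authorized-list check described in the DHS training above, written out as an added example (not code from the TIGTA report or from any IRS, DHS, or vendor tool): observed software is compared with an authorized list at both the product and the executable level, everything else is a defect, and each defect must carry a recorded disposition of remove, authorize, or accept-risk. The product names, hashes, hosts, paths, and dispositions are constructed sample data.

```python
"""Software asset management allowlist check (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
import hashlib


def h(data: bytes) -> str:
    """SHA-256 hex digest; used only to build the constructed sample hashes."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Observed:
    host: str
    product: str   # product name as reported by the discovery tool
    version: str
    path: str      # executable on disk
    sha256: str    # hash of that executable


# Constructed authorized list. Product-level entries approve a product and
# version; executable-level entries pin the file hashes that ship with it, so
# a modified or side-loaded binary of an approved product is still a defect.
AUTHORIZED_PRODUCTS = {("ExampleCorp Viewer", "3.2"), ("ExampleCorp Agent", "1.0")}
AUTHORIZED_EXECUTABLES = {
    "ExampleCorp Viewer": {h(b"viewer-3.2-release")},
    "ExampleCorp Agent": {h(b"agent-1.0-release")},
}

# Analyst dispositions already recorded for known defects, keyed by executable
# hash. The allowed values mirror the guidance: remove, authorize, accept_risk.
DISPOSITIONS = {h(b"legacy-tool-0.9"): "accept_risk"}
VALID_DISPOSITIONS = {"remove", "authorize", "accept_risk"}


def classify(obs: Observed) -> tuple[str, str]:
    """Return ('ok', reason) or ('defect', reason) for one observation."""
    if (obs.product, obs.version) not in AUTHORIZED_PRODUCTS:
        return "defect", "product/version not on authorized list"
    if obs.sha256 not in AUTHORIZED_EXECUTABLES.get(obs.product, set()):
        return "defect", "executable hash not on authorized list"
    return "ok", "authorized at product and executable level"


def review(inventory: list[Observed]) -> dict:
    """Classify every observation and check that each defect has a disposition.

    Defects without a valid recorded disposition are 'open' findings that still
    need a remove/authorize/accept-risk decision."""
    report = {"ok": 0, "defects": [], "open": [], "by_reason": Counter()}
    for obs in inventory:
        status, reason = classify(obs)
        if status == "ok":
            report["ok"] += 1
            continue
        report["by_reason"][reason] += 1
        disposition = DISPOSITIONS.get(obs.sha256)
        if disposition not in VALID_DISPOSITIONS:
            disposition = None
            report["open"].append((obs.host, obs.path, reason))
        report["defects"].append((obs.host, obs.product, obs.version, reason, disposition))
    return report


# Constructed inventory: two authorized installs, one approved product whose
# binary hash does not match, one unapproved product with an accepted-risk
# disposition, and one unapproved product with no disposition yet.
SAMPLE_INVENTORY = [
    Observed("ws-001", "ExampleCorp Viewer", "3.2", "C:\\Apps\\viewer.exe", h(b"viewer-3.2-release")),
    Observed("srv-010", "ExampleCorp Agent", "1.0", "/opt/agent/agent", h(b"agent-1.0-release")),
    Observed("ws-002", "ExampleCorp Viewer", "3.2", "C:\\Apps\\viewer.exe", h(b"viewer-3.2-modified")),
    Observed("srv-011", "LegacyTool", "0.9", "/usr/local/bin/legacy", h(b"legacy-tool-0.9")),
    Observed("ws-003", "RandomUtility", "7.1", "C:\\Temp\\ru.exe", h(b"random-utility-7.1")),
]

if __name__ == "__main__":
    r = review(SAMPLE_INVENTORY)
    print(f"authorized: {r['ok']}, defects: {len(r['defects'])}, open: {len(r['open'])}")
    for host, path, reason in r["open"]:
        print(f"  OPEN  {host} {path}: {reason}")
```

The "open" list is the audit-relevant output: a defect that is neither removed, authorized, nor formally risk-accepted is the gap the report describes.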
Without the necessary security tools to detect and remove unauthorized software, the IRS is vulnerable to security risks and the exploitation of IRS systems.

The IRS should enhance security tools currently in use

Currently, the IRS is using many security tools required for Phase 1 of the ISCM program to address the first three security automation domains, such as database scanning, web and code scanning, laptop and server configuration scanning, unauthorized hardware and software scanning, and security network scanning. However, the IRS discovered that these tools may need additional resources to enrich their current capability. The IRS has the option to use the BPA to improve the security of its ISCM program by enhancing tools already in use.

Some of these tools could also be used in a broader sense; for example, one of the security tools that the IRS owns is BDNA Technopedia Discover™[10] for asset discovery. However, the part of BDNA that could be enhanced is BDNA Normalize.™ Normalize allows raw data to be recognized in a common language between systems. Normalize also aligns and updates inconsistent data, such as vendor names, product names, and product versions, to provide a consistent view of data across multiple information technology systems. With Normalize, the IRS could enhance the common language between the BDNA tool and another IRS scanning tool currently in use to compare the scanning results of assets. The IRS could take advantage of the BPA to acquire the additional software to connect the two scanning tools. By enhancing the tools, the data are easily recognized and shared between the tools in a common way, thereby allowing stakeholders to make informed risk decisions.

Security will be improved by enhancing the existing tools and adding the resources they need to operate optimally. Without these enhancements, the tools could miss vulnerabilities that might otherwise be identified and mitigated.

[10] Technopedia Discover can scan assets across multiple data centers and firewall zones. It quickly discovers, identifies, and categorizes more than 450,000 types of hardware and software products to provide trusted, complete, and enriched information technology inventory information.

Recommendations

The Chief Technology Officer should:

Recommendation 2: Take advantage of the GSA BPA through the DHS’s CDM program to acquire products to ensure that gaps in coverage and tool enhancements of the ISCM program are adequately addressed and best suited for the IRS environment.

Management's Response: The IRS agreed with our recommendation. The Chief Technology Officer will take advantage of the GSA BPA to acquire products to ensure that gaps in coverage and tool enhancements are adequately addressed and best suited for the IRS environment. The Chief Technology Officer will establish an enterprise-wide integrated project team to direct the IRS’s ISCM initiative. Based on the future direction of the ISCM integrated project team and the tools analysis already completed, the IRS will pursue tool enhancements for current tools and tool selections for gaps in the most efficient method to the extent funding is available.

Recommendation 3: Continue to coordinate with the Treasury Department to ensure that the tools selected for use (including the database scanning tool) are the most effective and make the most efficient use of IRS resources.

Management's Response: The IRS agreed with our recommendation. The Chief Technology Officer will continue to coordinate with Treasury to ensure that the IRS selects the most effective and efficient security tools in terms of cost and to fully ensure that all unique technical needs within the IRS computing environment are addressed.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to assess the current state of CDM program controls in place at the IRS. To accomplish our overall goal, we:

I.   Determined whether CDM program controls surrounding the Asset Management security automation domain were working as intended.
     A. Determined the current state of CDM program controls for the Asset Management security automation domain and whether the current controls are effective and compliant with applicable guidance.
     B. Determined whether proposed CDM program controls and the timeline for implementation of these controls are compliant with applicable guidance.

II.  Determined whether CDM program controls surrounding the Configuration Management security automation domain are working as intended.
     A. Determined the current state of CDM program controls for the Configuration Management security automation domain.
     B. Determined whether proposed CDM program controls and the timeline for implementation of these controls are compliant with applicable guidance.

III. Determined whether CDM program controls surrounding the Patch Management security automation domain are working as intended. (Note: This security automation domain was not a part of Phase 1 mandated by the OMB. Although we reviewed this area because it was in the IRS’s strategy, we did not report on this test.)
     A. Determined the current state of CDM program controls for the Patch Management security automation domain.
     B. Determined whether proposed CDM program controls and the timeline for implementation of these controls are compliant with applicable guidance.

IV.  Determined whether CDM program controls surrounding the Vulnerability Management security automation domain are working as intended.
     A. Determined the current state of CDM program controls for the Vulnerability Management security automation domain.
     B. Determined whether proposed CDM program controls and the timeline for implementation of these controls are compliant with applicable guidance.

V.   Assessed the timing for full implementation of the CDM program.
     A. Determined whether the IRS has received appropriate guidance from the Department of the Treasury.
     B. Determined whether the IRS has made adequate progress in development of the remaining security automation domains.
     C. Determined any setbacks and hurdles experienced in implementing the CDM program.
     D. Determined how the future-state vendors will be selected and assessed the potential for fraudulent manipulation of this process by the IRS.
     E. Determined the status of the remaining seven security automation domains.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet its mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: the OMB, the Joint Continuous Monitoring Working Group’s CONOPS, the NIST, and the Treasury Department guidelines for continuous monitoring, and the IRS’s efforts to implement these controls in order to determine the near real-time security of the IRS networks and data to allow ongoing authorizations and risk-based decisions. We evaluated these controls by conducting interviews and meetings, observing tools, and reviewing documentation with cybersecurity management and business owners at the IRS responsible for securing the Asset Management, Configuration Management, and Vulnerability Management security automation domains.

Appendix II

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Joseph F. Cooney, Audit Manager
Cari Fogle, Lead Auditor
Midori Ohno, Senior Auditor
Sam Mettauer, Information Technology Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer for Operations OS:CTO
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Associate Chief Information Officer, Enterprise Services OS:CTO:ES
Associate Chief Information Officer, User and Network Services OS:CTO:UNS
Director, Security Risk Management OS:CTO:C:SRM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

National Institute of Standards and Technology Security Automation Domains

Security Automation Domain: Description

Asset Management: Asset management tools help maintain an inventory of software and hardware within the organization. This can be accomplished via a combination of system configuration, network management, and license management tools or with a special-purpose tool. NOTE: The CONOPS defines this area as Hardware Asset Management and Software Asset Management and makes them two separate domains, which makes four domains for Phase 1.

Vulnerability Management: A vulnerability is a software flaw that introduces a potential security exposure. Vulnerability scanners are commonly used in organizations to identify known vulnerabilities on hosts and networks and on commonly used operating systems and applications. These scanning tools can proactively identify vulnerabilities, provide a fast and easy way to measure exposure, identify out-of-date software versions, validate compliance with an organizational security policy, and generate alerts and reports about identified vulnerabilities. NOTE: The CONOPS includes this domain in Phase 1.

Configuration Management: Configuration management tools allow administrators to configure settings, monitor changes to settings, collect setting status, and restore settings as needed. NOTE: The CONOPS includes this domain in Phase 1.

Patch Management: Patch management tools scan for vulnerabilities on systems and system components participating in an organization’s patching solution, provide information regarding needed patches and other software updates on affected devices, and allow an administrator to decide on the patching implementation process.

Event Management: Event management involves monitoring observable occurrences in a network or system and responding to them as necessary. A variety of tools and technologies exist to monitor events, such as intrusion detection systems and logging mechanisms. Some tools may detect events based on known attack signatures, while others detect anomalies in behavior or performance that could indicate an attack.

Incident Management: Certain events may signal that an incident has occurred, which is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. Incident management tools may assist in detecting, responding to, and limiting the consequences of a malicious cyberattack against an organization.

Malware Detection: Malware detection provides the ability to identify and report on the presence of viruses, Trojan horses, spyware, or other malicious code on or destined for a target system.

Network Management: Network configuration management tools include host discovery, inventory, change control, performance monitoring, and other network device management capabilities. Some network configuration management tools automate device configuration and validate device compliance against preconfigured policies. Network management tools may be able to discover unauthorized hardware and software on the network, such as a rogue wireless access point.

License Management: Similar to systems and network devices, software and applications are also a relevant data source for the ISCM program. Software asset and licensing information may be centrally managed by a software asset management tool to track license compliance, monitor usage status, and manage the software asset life cycle. License management tools offer a variety of features to automate inventory, utilization monitoring and restrictions, deployment, and patches for software and applications.

Information Management: There are vast quantities of digital information stored across the myriad of systems, network devices, databases, and other assets within an organization. Managing the location and transfer of information is essential to protect the confidentiality, integrity, and availability of the data.

Software Assurance: The NIST Software Assurance Metrics and Tool Evaluation project defines software assurance as the “planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures from NASA Software Assurance Guidebook and Standard to help achieve: (1) Trustworthiness – No exploitable vulnerabilities exist, either of malicious or unintentional origin (2) Predictable Execution – Justifiable confidence that software, when executed, functions as intended.”

Appendix V

Office of Management and Budget Deadlines

Each entry lists the required action, the deadline, the responsible entity, and the IRS status.

1.  Develop ISCM program strategy (or strategies).
    Deadline: February 28, 2014. Responsible entity: All agencies. IRS status: Completed August 9, 2013.

2.  Identify resource and skill requirement gaps (if any) to manage and coordinate the internal ISCM program.
    Deadline: April 30, 2014. Responsible entity: All agencies. IRS status: Completed April 30, 2014.

3.  Identify specific individuals to manage the agency’s ISCM program.
    Deadline: April 30, 2014. Responsible entity: All agencies. IRS status: Completed April 14, 2014.

4.  Complete the CDM program foundational survey and return it to the DHS.
    Deadline: Immediately, if not already completed. Responsible entity: All civilian agencies. IRS status: Completed survey of data tools. Sent to the Treasury Department on December 3, 2013.

5.  Sign Memorandum of Agreement with the DHS.
    Deadline: Immediately, if not already completed. Responsible entity: All civilian agencies receiving DHS CDM program services. IRS status: The Treasury Department is in contact on behalf of the IRS.

6.  Begin to procure products and services to support Phase 1 focus areas (as described in the CONOPS).
    Deadline: February 28, 2014. Responsible entity: All agencies. IRS status: Satisfied by the Treasury Department by purchase of DbProtect for bureaus in Fall 2013. Also, the DHS has pushed the meetings with vendors into FY 15.

7.  Begin to deploy products to support ISCM for all systems.
    Deadline: May 30, 2014. Responsible entity: All agencies. IRS status: Completed; the IRS already has products in deployment.

8.  Ensure that all information systems are authorized to operate in accordance with Federal requirements prior to initiating ISCM for those systems.
    Deadline: May 30, 2014. Responsible entity: All agencies. IRS status: Completed; the information systems for Phase 1 at the IRS have authorization to operate.

9.  Publish technical specifications for agency data feeds for Phase 1 focus areas to the Federal dashboard.
    Deadline: Three months prior to deployment of the Federal dashboard. Responsible entity: The DHS. IRS status: N/A.

10. Ensure that all Phase 1 products necessary to meet DHS reporting requirements provide data compatible with the Federal dashboard maintained by the DHS.
    Deadline: Within three months of the Federal dashboard being deployed. Responsible entity: All agencies. IRS status: To be determined.

11. Complete installation of agency- and bureau/component-level dashboards.
    Deadline: Within six months of the Federal dashboard being deployed. Responsible entity: All agencies. IRS status: To be determined.

12. Begin submitting automated data feeds for Phase 1 focus areas to the Federal dashboard.
    Deadline: Within six months of the Federal dashboard being deployed. Responsible entity: All agencies. IRS status: To be determined.

13. Publish guidance establishing a process and criteria for agencies to conduct ongoing assessments and authorizations.
    Deadline: March 31, 2014. Responsible entity: The NIST. IRS status: Issued June 2014.

14. Update ISCM program strategies to describe the process for performing ongoing authorizations.
    Deadline: Within three months of receiving additional guidance. Responsible entity: All agencies. IRS status: In progress.
in this area (either\n                                  from the NIST, the\n                                  DHS, and/or the\n                                  Joint Continuous\n                                  Monitoring Working\n                                  Group).\n15 Determine whether agencies November 15, 2014          Inspectors      Completed\n   have documented their ISCM (and each year             General.        August 2013.\n   program strategy.          thereafter).\n16 Assess whether agencies        November 15, 2014      Inspectors      To be determined.\n   have implemented ISCM for      (and each year         General.\n   information technology         thereafter).\n   assets.\n17 Evaluate agencies\xe2\x80\x99 risk      November 15, 2014        Inspectors      To be determined.\n   assessments used to develop (and each year            General.\n   their ISCM program strategy. thereafter).\n18 Verify that agencies conduct   November 15, 2014      Inspectors      To be determined.\n   and report on ISCM program     (and each year         General.\n   results in accordance with     thereafter).\n   their continuous monitoring\n   strategy.\n\n\n\n\n                                                                                  Page 22\n\x0c       The Internal Revenue Service Should Implement an\n        Efficient Internal Information Security Continuous\n       Monitoring Program That Meets Its Security Needs\n\n\n                                                    Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                             Page 23\n\x0cThe Internal Revenue Service Should Implement an\n Efficient Internal Information Security Continuous\nMonitoring Program That Meets Its Security Needs\n\n\n\n\n                                                      Page 24\n\x0cThe Internal Revenue Service Should Implement an\n Efficient Internal Information Security 
Continuous\nMonitoring Program That Meets Its Security Needs\n\n\n\n\n                                                      Page 25\n\x0c'